The Irish Data Protection Commission (DPC) served Meta with a €5.5 million fine for breaching EU data privacy law. The fine came after a years-long investigation into WhatsApp’s targeted marketing practices.
European privacy groups say the company illegally forces consumers to agree to targeted advertising to use its service. While Meta claims it operates within the legal framework, the DPC watchdog states the company was “in breach of its obligations in relation to transparency.”
The fine is one of many incurred over recent months, raising concerns about Meta’s willingness to play by European data protection standards. Privacy advocates believe the charge to be too low and criticize Irish regulators for missing the mark and refusing the European Data Protection Board’s (EDPB) request to investigate further.
Meta’s Dubious WhatsApp Data Practices
Irish regulators slapped Meta with another fine for dubious data protection practices last week. The DPC indicated the fine of €5.5 million was a consequence of WhatsApp breaching the General Data Protection Regulation (GDPR) and “its obligations in relation to transparency.”
The enquiry began in 2018 following complaints from NOYB, a Vienna-based privacy group. WhatsApp was accused of “forcing” users to consent to new data collection protocols as a prerequisite to using the app.
This allegedly violates Article 7 recital 32 of the GDPR, which states user consent should be freely chosen. It also states users should be informed unambiguously and not face excessive pressure or influence. The watchdog has ordered WhatsApp to bring its operations into compliance with regulations within six months to avoid facing further fines.
Meta has openly opposed the fine and noted it would be taking action to overturn the DPC’s decision. In a statement, a WhatsApp spokesperson said they believe “the way the service operates is both technically and legally compliant.”
The fines came only two weeks after Meta was fined €390 million for Facebook and Instagram engaging in the same malpractice.
What’s Really Up With WhatsApp’s Privacy?
Despite WhatsApp touting its privacy focus and end-to-end encrypted messaging, it collects more data than you might imagine. It gathers metadata about who you contact, how you contacted them, and which IP address you’re using.
Additionally, if you use the Backup feature, your messages and media will be stored in a cloud, easily accessible by law enforcement.
While WhatsApp claims your data can’t be accessed by anyone in law enforcement, a report by Rolling Stone Magazine details an unreported FBI document where the bureau touts how easy it is to access WhatsApp messages in real time.
Ireland’s Role In EU Data Regulation
Ireland plays a key role in regulating and enforcing European data protection laws. As with many other corporate giants including Google, Apple, and Twitter, Meta leverages Ireland as a tax haven by stationing its European headquarters in the nation.
As such, the primary responsibility of regulating these giants in accordance with the EU’s GDPR falls in the hands of Irish regulators.
In response to the €5.5 million fine doled out by the DPC, NOYB criticized the regulator for the small fine and lack of substantial action. Max Schrems, founder of NOYB, said the organization was “astonished how the DPC simply ignores the core of the case after a 4.5-year procedure.”
The DPC stated the reason for the relatively small fine is other recent fines against WhatsApp for targeted advertising practices and lack of transparency.
In November 2022, Meta incurred a fine of €225 million for violating transparency rules and another of €405 million in September for mishandling data of minors.
A Battle Over Jurisdiction: Ireland Refuses EU Investigation Request
Other European bodies also considered the fine too low and asked the European Data Protection Board (EDPB) to judge the dispute. The EDPB is a Brussels-based data regulation authority for the European Union.
The authority sent a request to Irish regulators to continue investigations into Meta’s data practices. However, Ireland refused, stating the authority doesn’t have the power to “direct an authority to engage in open-ended and speculative investigation.”
This isn’t the first time Ireland has refused to cooperate with the EU, and the EDPB is now taking the case before the European Union’s Court of Justice. Ireland’s unwillingness to cooperate with union-level regulation raises questions about the nation’s potential conflict of interest with protecting big tech.
Other Recent Updates On EU Cyber Law
Meanwhile, the EU Commission implemented the Cyber Resilience Act (CRA) to ensure device manufacturers address cybersecurity risks in a timely and effective manner. According to the commission, ransomware attacks occur every eleven seconds and “substantial penalties on manufacturers” are necessary to mitigate risks.
In November 2022, the European Parliament also boosted the protection of the EU’s essential infrastructure and updated EU law to bolster investment in strong cybersecurity. Part of this included the NIS2 directive aimed at strengthening cybersecurity requirements for medium-sized and large entities that operate and provide services in key sectors.
Protecting Your Device Identity
When you agree to a service’s terms and conditions, it’s difficult to stop them from getting your data. Always check app permissions and privacy settings to ensure you know how an app collects and handles your data. I know reading through a service’s terms and conditions is boring, but this can help too. You also can mask your device IP address and encrypt your data by using a VPN.